
Rootless docker image

Open dave90 opened this issue 10 months ago • 5 comments

Description

Updates Dockerfile to improve container security by introducing non-root user configurations.

  • Parameterization of User and Group IDs: build-time arguments (USER_ONBUILD, UID_ONBUILD, GROUP_ONBUILD, GID_ONBUILD) to dynamically set the user ID (UID) and group ID (GID) along with the corresponding user and group names.
  • User and Group Creation: creation of a non-root user (USER_ONBUILD) and group (GROUP_ONBUILD) with the specified UID and GID.
  • Directory Ownership: the ownership of the /app directory is changed to the newly created non-root user and group.

Related to issue #765

Type of change

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] This change requires a documentation update

Checklist:

  • [x] My code follows the style guidelines of this project
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas

dave90 avatar Apr 24 '24 20:04 dave90

I'm late on this one! Thanks for your patience;)

pieroit avatar Apr 24 '24 22:04 pieroit

Just tested, lgtm

AlessandroSpallina avatar Apr 26 '24 15:04 AlessandroSpallina

Just tested, lgtm

Thanks @AlessandroSpallina, also plugin dependencies? I'm late on this one, was my only concern

Also, what happens if I update the cat with the new docker image, and all plugins are under root from the previous version? If that is breaking, either we wait for v2 or a manual chown must be run on the volumes.

pieroit avatar Apr 26 '24 17:04 pieroit

I can confirm that by updating the container from a previous version, there are errors on the volumes permissions (because the contents remain root).

cheshire_cat_core  | ERROR:    Traceback (most recent call last):
cheshire_cat_core  |   File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 732, in lifespan
cheshire_cat_core  |     async with self.lifespan_context(app) as maybe_state:
cheshire_cat_core  |   File "/usr/local/lib/python3.10/contextlib.py", line 199, in __aenter__
cheshire_cat_core  |     return await anext(self.gen)
cheshire_cat_core  |   File "/app/cat/main.py", line 29, in lifespan
cheshire_cat_core  |     app.state.ccat = CheshireCat()
cheshire_cat_core  |   File "/app/cat/utils.py", line 171, in getinstance
cheshire_cat_core  |     cls.instances[class_] = class_(*args, **kwargs)
cheshire_cat_core  |   File "/app/cat/looking_glass/cheshire_cat.py", line 60, in __init__
cheshire_cat_core  |     self.mad_hatter = MadHatter()
cheshire_cat_core  |   File "/app/cat/utils.py", line 171, in getinstance
cheshire_cat_core  |     cls.instances[class_] = class_(*args, **kwargs)
cheshire_cat_core  |   File "/app/cat/mad_hatter/mad_hatter.py", line 51, in __init__
cheshire_cat_core  |     self.find_plugins()
cheshire_cat_core  |   File "/app/cat/mad_hatter/mad_hatter.py", line 93, in find_plugins
cheshire_cat_core  |     self.active_plugins = self.load_active_plugins_from_db()
cheshire_cat_core  |   File "/app/cat/mad_hatter/mad_hatter.py", line 165, in load_active_plugins_from_db
cheshire_cat_core  |     active_plugins = crud.get_setting_by_name("active_plugins")
cheshire_cat_core  |   File "/app/cat/db/crud.py", line 33, in get_setting_by_name
cheshire_cat_core  |     result = get_db().search(query.name == name)
cheshire_cat_core  |   File "/app/cat/db/database.py", line 17, in get_db
cheshire_cat_core  |     return Database().db
cheshire_cat_core  |   File "/app/cat/utils.py", line 171, in getinstance
cheshire_cat_core  |     cls.instances[class_] = class_(*args, **kwargs)
cheshire_cat_core  |   File "/app/cat/db/database.py", line 10, in __init__
cheshire_cat_core  |     self.db = TinyDB(self.get_file_name())
cheshire_cat_core  |   File "/usr/local/lib/python3.10/site-packages/tinydb/database.py", line 94, in __init__
cheshire_cat_core  |     self._storage: Storage = storage(*args, **kwargs)
cheshire_cat_core  |   File "/usr/local/lib/python3.10/site-packages/tinydb/storages.py", line 113, in __init__
cheshire_cat_core  |     touch(path, create_dirs=create_dirs)
cheshire_cat_core  |   File "/usr/local/lib/python3.10/site-packages/tinydb/storages.py", line 32, in touch
cheshire_cat_core  |     with open(path, 'a'):
cheshire_cat_core  | PermissionError: [Errno 13] Permission denied: 'cat/data/metadata.json'
cheshire_cat_core  | 
cheshire_cat_core  | ERROR:    Application startup failed. Exiting.
cheshire_cat_core  | 

I'm sorry @dave90 we need to wait for v2 to merge this. Please leave it here open as it is useful! Thanks :')

pieroit avatar Apr 26 '24 18:04 pieroit
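A host-side pre-flight check for the upgrade problem described above (volume contents still owned by root from a previous version, so the non-root container hits `PermissionError` on `cat/data/metadata.json`) is added here as an example; it is not the project's code. It assumes the image runs as the UID/GID passed through the PR's UID_ONBUILD/GID_ONBUILD build args (the 1000 defaults are assumptions) and that the data volumes are bind-mounted paths you can inspect on the host.

```shell
#!/bin/sh
# Pre-flight ownership check for data volumes before starting the rootless image.
# Added example (not the project's code). Assumes the container runs as the
# UID/GID given at build time via UID_ONBUILD/GID_ONBUILD; the 1000 defaults
# below are assumptions. Build-time wiring per the PR description would be:
#   docker build --build-arg UID_ONBUILD=$(id -u) --build-arg GID_ONBUILD=$(id -g) .
set -eu

# Print how many entries under $1 are NOT owned by uid $2 and gid $3.
# The volume root itself is included, since the app must create files in it.
count_not_owned() {
  find "$1" \( ! -uid "$2" -o ! -gid "$3" \) -print | wc -l | tr -d ' '
}

# Return 0 if everything under $1 is owned by $2:$3; otherwise list the
# offending entries (the ones that would raise EACCES inside the container)
# and return 1.
check_volume() {
  n="$(count_not_owned "$1" "$2" "$3")"
  if [ "$n" -eq 0 ]; then
    echo "ok: $1 is fully owned by $2:$3"
    return 0
  fi
  echo "FAIL: $n entries under $1 are not owned by $2:$3"
  find "$1" \( ! -uid "$2" -o ! -gid "$3" \) -exec ls -ldn {} + | head -n 20
  return 1
}

# Check every volume path given on the command line; return non-zero if any
# would fail, and print the host-side fix (the manual chown mentioned above).
preflight() {
  uid="${UID_ONBUILD:-1000}"
  gid="${GID_ONBUILD:-1000}"
  rc=0
  for vol in "$@"; do
    check_volume "$vol" "$uid" "$gid" || rc=1
  done
  if [ "$rc" -ne 0 ]; then
    echo "fix on the host, then restart the container: chown -R $uid:$gid <volume>"
  fi
  return "$rc"
}

# Usage: UID_ONBUILD=1000 GID_ONBUILD=1000 sh preflight.sh ./cat/data ./cat/plugins
preflight "$@"
```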

Just tested, lgtm

Thanks @AlessandroSpallina, also plugin dependencies? I'm late on this one, was my only concern

I tested it with the dietician plugin (sqlalchemy dependency) and I saw no errors so I felt everything was ok, but now I just installed a bunch of other plugins and I see errors:

dave_cheshire_cat_core  | INFO:     Started server process [1226]
dave_cheshire_cat_core  | INFO:     Waiting for application startup.
dave_cheshire_cat_core  | [2024-04-26 20:31:38.440] INFO   cat.mad_hatter.mad_hatter.MadHatter.find_plugins::102
dave_cheshire_cat_core  | "ACTIVE PLUGINS:"
dave_cheshire_cat_core  | [2024-04-26 20:31:38.445] INFO   cat.mad_hatter.mad_hatter.MadHatter.find_plugins::103
dave_cheshire_cat_core  | [
dave_cheshire_cat_core  |     "the_latest_news_in_wonderland",
dave_cheshire_cat_core  |     "core_plugin",
dave_cheshire_cat_core  |     "mood_music_for_cheshire_cat",
dave_cheshire_cat_core  |     "ccat_dietician",
dave_cheshire_cat_core  |     "ccat_hyde"
dave_cheshire_cat_core  | ]
dave_cheshire_cat_core  | [2024-04-26 20:31:38.531] INFO   cat.mad_hatter.plugin.Plugin._install_requirements::249
dave_cheshire_cat_core  | "Installing requirements for: the_latest_news_in_wonderland"
dave_cheshire_cat_core  | Defaulting to user installation because normal site-packages is not writeable
dave_cheshire_cat_core  | Requirement already satisfied: feedparser==6.0.10 in /home/cat/.local/lib/python3.10/site-packages (from -r /tmp/tmpjgekr4d8 (line 1)) (6.0.10)
dave_cheshire_cat_core  | Requirement already satisfied: sgmllib3k in /home/cat/.local/lib/python3.10/site-packages (from feedparser==6.0.10->-r /tmp/tmpjgekr4d8 (line 1)) (1.0.0)
dave_cheshire_cat_core  | [2024-04-26 20:31:41.227] ERROR  cat.mad_hatter.plugin.Plugin._load_decorated_functions::298
dave_cheshire_cat_core  | "Error in cat.plugins.the_latest_news_in_wonderland.news: No module named 'feedparser'. Unable to load plugin the_latest_news_in_wonderland"
dave_cheshire_cat_core  | [2024-04-26 20:31:41.232] WARNING cat.mad_hatter.plugin.Plugin._load_decorated_functions::299
dave_cheshire_cat_core  | "To resolve any problem related to LEATES NEWS! plugin, contact the creator using github issue at the link https://github.com/AndreaPesce2002/the-latest-news-in-wonderland"
dave_cheshire_cat_core  | Traceback (most recent call last):
dave_cheshire_cat_core  |   File "/app/cat/mad_hatter/plugin.py", line 291, in _load_decorated_functions
dave_cheshire_cat_core  |     plugin_module = importlib.import_module(py_filename)
dave_cheshire_cat_core  |   File "/usr/local/lib/python3.10/importlib/__init__.py", line 126, in import_module
dave_cheshire_cat_core  |     return _bootstrap._gcd_import(name[level:], package, level)
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap_external>", line 883, in exec_module
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
dave_cheshire_cat_core  |   File "/app/cat/plugins/the_latest_news_in_wonderland/news.py", line 2, in <module>
dave_cheshire_cat_core  |     import feedparser
dave_cheshire_cat_core  | ModuleNotFoundError: No module named 'feedparser'
dave_cheshire_cat_core  | [2024-04-26 20:31:41.281] INFO   cat.mad_hatter.plugin.Plugin._install_requirements::249
dave_cheshire_cat_core  | "Installing requirements for: mood_music_for_cheshire_cat"
dave_cheshire_cat_core  | [2024-04-26 20:31:41.286] INFO   cat.mad_hatter.plugin.Plugin._install_requirements::249
dave_cheshire_cat_core  | "Installing requirements for: mood_music_for_cheshire_cat"
dave_cheshire_cat_core  | [2024-04-26 20:31:41.291] INFO   cat.mad_hatter.plugin.Plugin._install_requirements::249
dave_cheshire_cat_core  | "Installing requirements for: mood_music_for_cheshire_cat"
dave_cheshire_cat_core  | [2024-04-26 20:31:41.296] INFO   cat.mad_hatter.plugin.Plugin._install_requirements::249
dave_cheshire_cat_core  | "Installing requirements for: mood_music_for_cheshire_cat"
dave_cheshire_cat_core  | [2024-04-26 20:31:41.306] INFO   cat.mad_hatter.plugin.Plugin._install_requirements::249
dave_cheshire_cat_core  | "Installing requirements for: mood_music_for_cheshire_cat"
dave_cheshire_cat_core  | Defaulting to user installation because normal site-packages is not writeable
dave_cheshire_cat_core  | Requirement already satisfied: feedparser==6.0.10 in /home/cat/.local/lib/python3.10/site-packages (from -r /tmp/tmpdu1d629h (line 1)) (6.0.10)
dave_cheshire_cat_core  | ERROR: Could not find a version that satisfies the requirement json==1.6.3 (from versions: none)
dave_cheshire_cat_core  | ERROR: No matching distribution found for json==1.6.3
dave_cheshire_cat_core  | [2024-04-26 20:31:42.086] ERROR  cat.mad_hatter.plugin.Plugin._install_requirements::275
dave_cheshire_cat_core  | "Error during installing mood_music_for_cheshire_cat requirements: Command '['pip', 'install', '--no-cache-dir', '-r', '/tmp/tmpdu1d629h']' returned non-zero exit status 1."
dave_cheshire_cat_core  | [2024-04-26 20:31:42.097] ERROR  cat.mad_hatter.plugin.Plugin._load_decorated_functions::298
dave_cheshire_cat_core  | "Error in cat.plugins.mood_music_for_cheshire_cat.main: No module named 'feedparser'. Unable to load plugin mood_music_for_cheshire_cat"
dave_cheshire_cat_core  | [2024-04-26 20:31:42.102] WARNING cat.mad_hatter.plugin.Plugin._load_decorated_functions::299
dave_cheshire_cat_core  | "To resolve any problem related to mood music plugin, contact the creator using github issue at the link https://github.com/AndreaPesce2002/mood-music-for-Cheshire-Cat"
dave_cheshire_cat_core  | Traceback (most recent call last):
dave_cheshire_cat_core  |   File "/app/cat/mad_hatter/plugin.py", line 291, in _load_decorated_functions
dave_cheshire_cat_core  |     plugin_module = importlib.import_module(py_filename)
dave_cheshire_cat_core  |   File "/usr/local/lib/python3.10/importlib/__init__.py", line 126, in import_module
dave_cheshire_cat_core  |     return _bootstrap._gcd_import(name[level:], package, level)
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap_external>", line 883, in exec_module
dave_cheshire_cat_core  |   File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
dave_cheshire_cat_core  |   File "/app/cat/plugins/mood_music_for_cheshire_cat/main.py", line 2, in <module>
dave_cheshire_cat_core  |     import feedparser
dave_cheshire_cat_core  | ModuleNotFoundError: No module named 'feedparser'
dave_cheshire_cat_core  | [2024-04-26 20:31:42.151] INFO   cat.mad_hatter.plugin.Plugin._install_requirements::249
dave_cheshire_cat_core  | "Installing requirements for: ccat_dietician"
dave_cheshire_cat_core  | [2024-04-26 20:31:42.927] INFO   cat.memory.vector_memory.VectorMemory.connect_to_vector_memory::57
dave_cheshire_cat_core  | "Qdrant path: cat/data/local_vector_memory/"
dave_cheshire_cat_core  | [2024-04-26 20:31:42.948] INFO   cat.memory.vector_memory_collection.VectorMemoryCollection.create_db_collection_if_not_exists::94
dave_cheshire_cat_core  | "Collection 'episodic' already present in vector store"
dave_cheshire_cat_core  | [2024-04-26 20:31:42.967] INFO   cat.memory.vector_memory_collection.VectorMemoryCollection.create_db_collection_if_not_exists::94
dave_cheshire_cat_core  | "Collection 'declarative' already present in vector store"
dave_cheshire_cat_core  | [2024-04-26 20:31:42.986] INFO   cat.memory.vector_memory_collection.VectorMemoryCollection.create_db_collection_if_not_exists::94
dave_cheshire_cat_core  | "Collection 'procedural' already present in vector store"
dave_cheshire_cat_core  | INFO:     Application startup complete.

Sorry for my early "lgtm"

AlessandroSpallina avatar Apr 26 '24 18:04 AlessandroSpallina